Microsoft and security, better bedfellows than supposed


Microsoft has a system to make its software secure. Seriously.

In the past the software giant has copped a lot of criticism from the industry about the security of its products. But in the last few years, the company has really turned it around.

I have spent the last few days in the London docklands, surrounded by spooks and security boffins at the RSA Conference Europe event. Microsoft featured heavily and has put its backing behind a number of initiatives.

Firstly, in a keynote yesterday, Ben Fathi, Microsoft security chief for Windows development, explained the rigorous system that the software giant has in place to test the security of its products at every stage of the development lifecycle. Fathi said there has been a “cultural shift” at Microsoft over the last five to six years, since the roll out of the Trustworthy Computing initiative.

Fathi replaced Mike Nash as head of Microsoft’s Security Technology Unit (STU) in March last year. Only seven months into his tenure, the STU was merged with the Trustworthy Computing unit in a management shake-up, which may explain the cultural shift Fathi refers to.

The “single biggest thing that has changed at Microsoft has been the security development lifecycle”, Fathi told delegates.

The cycle is made up of six stages: requirements, design, implementation, verification, release and response. Ethical – or white hat – hackers are even used to try to break into the products. Security is part of every stage, and every product Microsoft makes goes through this cycle.

These efforts have paid off, Fathi said, because Windows Vista has recorded 60% less malware than Windows XP.

Since this process of review, analysis and testing has been in place, Microsoft has put 300 products or new versions through its security paces. As a result, three products have been delayed because they didn’t make the grade, although Fathi didn’t disclose which ones. "These products were sent back to the products teams so that they could work out mitigation. This affected the release cycle but it was the right thing to do for our customers," Fathi said.

In fact, Microsoft has teamed up with Symantec, EMC, Juniper and SAP to share its software development best practices with governments, academia and critical infrastructure providers. The body, known as the Software Assurance Forum for Excellence in Code (SAFECode), is another highlight from the conference.

Fathi also unveiled a report, the Security Intelligence Report, which found that Trojan attacks have exploded by 500% in one year.

The ultimate message from Microsoft, as Fathi points out, is that technology is only one part of the overall picture. “We always talk about technology, but there are three aspects to managing security – technology, people and processes. You have to have all three working together, otherwise businesses won’t address the data privacy needs of customers. And customers are going to vote with their feet. If a company abuses private information, then customers won’t buy products from that company any more.”

Strong words of advice there, from a company that has changed its outlook on security to address complaints from its own customer base.
